Internal audit is your third line of defense

In a perfect
world, internal controls would be 100% effective once implemented. In reality,
organizations needs multiple lines of defense or barriers to guard against the
risk that they will not achieve their objectives. The internal audit function
is the last of three lines of defense recommended by the Institute of Internal
Auditors (IIA) in its Three Lines of Defense Model.

As a
precursor to the three lines of defense, boards govern and determine strategy.
Senior management operationalizes the strategy and selects, develops and
evaluates internal controls, with board oversight.

Against this
backdrop, operational management is the first line of defense. It supervises
and manages operations to ensure compliance with risk and internal control systems.
Risk and compliance functions are the second line of defense, monitoring the
adequacy and effectiveness of internal controls, reporting, compliance, and
remediation of deficiencies. Both lines are accountable to senior management.

The third
and last line of defense is internal audit. It does not own, create, or manage
risks and it does not design or implement controls. It is unique because its
role is to provide objective and independent assessments to the board, as to
whether the other two lines of defense are operating effectively.

The IIA says
all three lines of defense are necessary regardless of an organization’s size.

Meeting your duty of care

Improve your internal audit function
by ensuring that it:

Preserves its independence by reporting directly to the board or
like body;

Is professional and uses internationally recognized standards; and

Has the required budget and access to resources.

For organizations without an internal
audit function, remember, there are several options for accessing this service,
ranging from the traditional in-house model to a fully outsourced team, and
various options in between.

Read more about strategies to help you implement an effective internal
audit function, or improve the one you have, in Finance and Accounting
PolicyPro (GV 1.08 – Relationship with Internal Auditors).

Policies and procedures are essential to managing cut-off and other internal controls, but the work required to create and maintain them can seem daunting. Finance and Accounting PolicyPro, co-published by First Reference and Chartered Professional Accountants Canada (CPA Canada) contain sample policies, procedures and other documents, plus authoritative commentary in the areas of finance and accounting and not-for-profit management, to save you time and effort in establishing and updating your internal controls and policies. Not a subscriber? Request a free 30-day trial of Finance and Accounting PolicyPro here.

Share this:

Apolone Gentles is a CPA,CGA and Ontario lawyer and editor with over 20 years of business experience. Apolone is leveraging 20 years of business and accounting experience to build a commercial litigation practice with an emphasis on construction law. She has held senior leadership roles in non-profit organizations, leading finance, human resources, information technology and facilities teams. She has also held senior roles in audit and assurance services at a “Big Four” audit firm. Apolone has also lectured in Auditing, Economics and Business at post-secondary schools. Read more here